

HONG KONG MONETARY AUTHORITY 


Our Ref: B1/15C 
B9/67C 


5 November 2019 


The Chief Executive 
All Authorized Institutions 


Dear Sir / Madam, 


Consumer Protection in respect of Use of Big Data Analytics and Artificial 
Intelligence by Authorized Institutions 


I am writing to provide authorized institutions (“AIs”) with a set of guiding 
principles on consumer protection aspects in respect of the use of big data 
analytics and artificial intelligence (“BDAI”). 


Under the Balanced and Responsive Supervision (“BRS”) initiative of the 
Hong Kong Monetary Authority (“HKMA”), BRS Roundtable is held by the 
HKMA to solicit feedback from the banking industry with a view to identifying 
possible enhancements to supervisory policies and requirements as well as 
emerging risks and market trends warranting supervisory attention. As 
reflected in a recent BRS Roundtable, the banking industry would welcome the 
HKMA to provide guidance in the form of guiding principles on consumer 
protection aspects in respect of the use of BDAI, which would be beneficial to 
banks, customers and the healthy development of BDAI in the banking sector 
as a whole, especially in enhancing customers’ confidence in using banking 
services adopting BDAI. 


In light of the above, the HKMA has developed some guiding principles on 
consumer protection aspects in respect of the use of BDAI, taking into account 
feedback from the banking industry and references from the “Updated Effective 
Approaches for Financial Consumer Protection in the Digital Age” 
promulgated by the Organisation for Economic Co-operation and Development 
(“OECD”). These guiding principles focus on four major areas, namely 
governance and accountability, fairness, transparency and disclosure, and data 
privacy and protection. AIs should adopt a risk-based approach commensurate 
with the risks involved in their BDAI applications when applying these guiding 
principles. 

1. Governance and accountability 


The board and senior management of AIs should remain accountable for all the 
BDAI-driven decisions and processes. Accordingly, they should ensure, among 
others: 


(a) appropriate governance, oversight and accountability framework which is 
established and documented; 


(b) appropriate level of explainability of the BDAI models including any 
algorithms (i.e. no black-box excuse), and that the models can be 
understood by the AIs; 


(c) adherence to the consumer protection principles set out in the Code of 
Banking Practice, Treat Customers Fairly Charter and other applicable 
regulatory requirements, as in the case of providing conventional banking 
products and services. BDAI applications should also be consistent with 
AIs’ corporate values and ethical standards which should include, among 
others, upholding customer-centric culture and principles; and 


(d) proper validation before launch of BDAI applications, and thereafter 
on-going reviews, to ensure the reliability, fairness, accuracy and relevance of 
the models, data used and the results. 


2. Fairness 


AIs should ensure that BDAI models produce objective, consistent, ethical and 
fair outcomes to customers, which include ensuring, among others: 


(a) compliance with the applicable laws, including those relevant to 
discrimination; 


(b) customer access to basic banking services are not denied unjustifiably 
which will be against the spirit of financial inclusion; 


(c) customers’ financial capabilities, situation and needs, including their level 
of digital literacy, are taken into account; 


(d) the models used for the BDAI-driven decision are robust and have 
appropriately weighed all relevant variables; and 


(e) the possibility of manual intervention to mitigate irresponsible lending 
decisions where necessary (e.g. in cases involving higher risks or impacts 
from the automated decision). 


3. Transparency and disclosure 


AIs should provide appropriate level of transparency to customers regarding 
their BDAI applications through proper, accurate and understandable disclosure. 
Accordingly, they should, among others: 


(a) make clear to customers, prior to service provision, that the relevant 
service is powered by BDAI technology and of the associated risks; 


(b) provide proper disclosure to customers so that customers could understand 
AIs’ approach to using customer data; 


(c) make available a mechanism for customers to enquire and request reviews 
on the decisions made by the BDAI applications, and ensure that any 
related complaint handling and redress mechanism for BDAI-based 
products and services are accessible and fair; 


(d) provide explanations on what types of data are used, and what factors or 
how the models affect the BDAI-driven decisions, upon customers’ request 
and where appropriate. For the avoidance of doubt, such explanations to 
customers are not required for systems used for monitoring and prevention 
of frauds or money laundering / terrorist financing activities; 


(e) carry out appropriate consumer education to enhance consumers’ 
understanding on BDAI technology in banking services; and 


(f) ensure that relevant customer communications are clear and simple to 
understand. 


4. Data privacy and protection 


AIs should implement effective protection measures to safeguard customer data. 
Accordingly, they should, among others: 


(a) if personal data are collected and processed by BDAI applications: 

- ensure compliance with the Personal Data (Privacy) Ordinance 
(“PDPO”) including the 6 Data Protection Principles, any relevant 
codes of practice issued or approved by the Privacy Commissioner for 
Personal Data (“PCPD”) giving practical guidance on compliance with 
the PDPO, and any other applicable local and overseas statutory or 
regulatory requirements; 

- pay regard to the relevant good practices issued by the PCPD related to 
BDAI and Fintech, including, among others, the “Ethical 
Accountability Framework” (the “Framework”), the “Data Stewardship 
Accountability, Data Impact Assessments and Oversight Models” in 
support of the Framework, and the “Information Leaflet on Fintech”; 


(b) consider embedding data protection in the design of a product or system 
from the outset (i.e. “privacy by design”) and collecting and storing only 
the minimum amount of data for the minimum amount of time (i.e. “data 
minimisation”); and 


(c) where request for consent to the collection and use of personal data in 
relation to a banking product or service powered by BDAI technology is 
required, ensure that such consent is as clear and understandable as 
possible in the interests of ensuring informed consent. 


Taking into account the views of the banking industry, the HKMA would 
welcome the industry to develop worked examples on the application of the 
above guiding principles and explore joint effort on consumer education as 
appropriate. 


While this circular focuses on consumer protection aspects, AIs should also 
refer to another circular issued by the HKMA dated 1 November 2019 on 
“High-level Principles on Artificial Intelligence” in the use of artificial 
intelligence applications. 


Should you have any questions regarding this circular, please feel free to 
contact Ms Stella Ma on 2878-8601 or Ms Teresa Chu on 2878-1563. 


Yours faithfully, 


Alan Au 
Executive Director (Banking Conduct) 


